Netlux Antivirus 1.0.1.8 Session Manager Service Privilege Escalation


Vendor: Netlux Systems Private Limited.
Product web page: http://www.netluxantivirus.com
Affected version: 1.0.1.8 and 1.0.1.4

Summary: Netlux Antivirus is an award-winning product that provides
comprehensive protection against all types of viruses,trojans,malwares
and spywares, secures your data, protects your privacy and ensures
your PC remains virus-free.

Desc: The Netlux Antivirus suffers from an unquoted search path issue
impacting the Session Manager Service 'NXSessSvc' service for Windows
deployed as part of Netlux Antivirus package. This could potentially
allow an authorized but non-privileged local user to execute arbitrary
code with elevated privileges on the system. A successful attempt would
require the local user to be able to insert their code in the system
root path undetected by the OS or other security applications where it
could potentially be executed during application startup or reboot. If
successful, the local user’s code would execute with the elevated
privileges of the application.

Tested on: Microsoft Windows Ultimate SP1 (EN)


Vulnerability discovered by Gjoko 'LiquidWorm' Krstic
                            @zeroscience


Advisory ID: ZSL-2015-5245
Advisory URL: http://www.zeroscience.mk/en/vulnerabilities/ZSL-2015-5245.php


01.06.2015

---


C:\Users\User>sc qc NXSessSvc
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: NXSessSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        START_TYPE         : 2   AUTO_START
        ERROR_CONTROL      : 1   NORMAL
        BINARY_PATH_NAME   : C:\Program Files (x86)\Netlux\NetluxAntivirus\NXSRV.exe
        LOAD_ORDER_GROUP   :
        TAG                : 0
        DISPLAY_NAME       : Netlux Session Manager Service
        DEPENDENCIES       :
        SERVICE_START_NAME : LocalSystem

C:\Users\User>